652fbbd15cbf1de8f538117f3156452136404b06bc223985fc525ff64c9a7f05

Analysis

max time kernel
68s
max time network
69s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 22:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

KernelOS21H2.bat
Size

38KB
MD5

bcd25445d0d143defaefeb34257baf60
SHA1

1baf57d0ac9db658f642d50b2c61b818b9036924
SHA256

6e7280bbd4c2ae300182de2507317fe1ab100404df897f06650190dd45e7f773
SHA512

40b9c6809559293430134276d36c0bc7e7d36e256dfeb2f9cc75a88650241b32e771b6bb1ea12823ce7aa0e89cd81ac0acf73737cbd69d9051398817f8fbf56f
SSDEEP

768:lTOLfw09oGDbfrdAUY5eCNldf2BWt9vOjfEv+/ZcbXmB9ofdfv3h8f+q1wqk:hku

Score

9^/10

evasion

Malware Config

Signatures

Modifies boot configuration data using bcdedit 7 IoCs

pid	Process
2468	bcdedit.exe
2016	bcdedit.exe
1888	bcdedit.exe
2176	bcdedit.exe
2604	bcdedit.exe
1660	bcdedit.exe
556	bcdedit.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1384	sc.exe
1140	sc.exe
1716	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 15 IoCs

evasion

pid	Process
2156	timeout.exe
108	timeout.exe
2424	timeout.exe
1488	timeout.exe
1484	timeout.exe
2036	timeout.exe
1912	timeout.exe
2688	timeout.exe
2440	timeout.exe
1404	timeout.exe
2396	timeout.exe
1236	timeout.exe
2404	timeout.exe
912	timeout.exe
2076	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2224	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2624	powershell.exe
2624	powershell.exe
2472	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2436	powercfg.exe
Token: SeShutdownPrivilege	2548	powercfg.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeShutdownPrivilege	2464	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeShutdownPrivilege	2408	powercfg.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: SeShutdownPrivilege	3048	shutdown.exe
Token: SeRemoteShutdownPrivilege	3048	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 972	1964	cmd.exe	29
PID 1964 wrote to memory of 972	1964	cmd.exe	29
PID 1964 wrote to memory of 972	1964	cmd.exe	29
PID 972 wrote to memory of 2028	972	cmd.exe	30
PID 972 wrote to memory of 2028	972	cmd.exe	30
PID 972 wrote to memory of 2028	972	cmd.exe	30
PID 1964 wrote to memory of 2184	1964	cmd.exe	31
PID 1964 wrote to memory of 2184	1964	cmd.exe	31
PID 1964 wrote to memory of 2184	1964	cmd.exe	31
PID 1964 wrote to memory of 2216	1964	cmd.exe	32
PID 1964 wrote to memory of 2216	1964	cmd.exe	32
PID 1964 wrote to memory of 2216	1964	cmd.exe	32
PID 2216 wrote to memory of 2224	2216	cmd.exe	33
PID 2216 wrote to memory of 2224	2216	cmd.exe	33
PID 2216 wrote to memory of 2224	2216	cmd.exe	33
PID 2216 wrote to memory of 2624	2216	cmd.exe	35
PID 2216 wrote to memory of 2624	2216	cmd.exe	35
PID 2216 wrote to memory of 2624	2216	cmd.exe	35
PID 2216 wrote to memory of 2688	2216	cmd.exe	36
PID 2216 wrote to memory of 2688	2216	cmd.exe	36
PID 2216 wrote to memory of 2688	2216	cmd.exe	36
PID 2216 wrote to memory of 2436	2216	cmd.exe	37
PID 2216 wrote to memory of 2436	2216	cmd.exe	37
PID 2216 wrote to memory of 2436	2216	cmd.exe	37
PID 2216 wrote to memory of 2548	2216	cmd.exe	38
PID 2216 wrote to memory of 2548	2216	cmd.exe	38
PID 2216 wrote to memory of 2548	2216	cmd.exe	38
PID 2216 wrote to memory of 2456	2216	cmd.exe	39
PID 2216 wrote to memory of 2456	2216	cmd.exe	39
PID 2216 wrote to memory of 2456	2216	cmd.exe	39
PID 2216 wrote to memory of 2464	2216	cmd.exe	40
PID 2216 wrote to memory of 2464	2216	cmd.exe	40
PID 2216 wrote to memory of 2464	2216	cmd.exe	40
PID 2216 wrote to memory of 2660	2216	cmd.exe	41
PID 2216 wrote to memory of 2660	2216	cmd.exe	41
PID 2216 wrote to memory of 2660	2216	cmd.exe	41
PID 2216 wrote to memory of 2408	2216	cmd.exe	42
PID 2216 wrote to memory of 2408	2216	cmd.exe	42
PID 2216 wrote to memory of 2408	2216	cmd.exe	42
PID 2216 wrote to memory of 2404	2216	cmd.exe	43
PID 2216 wrote to memory of 2404	2216	cmd.exe	43
PID 2216 wrote to memory of 2404	2216	cmd.exe	43
PID 2216 wrote to memory of 2424	2216	cmd.exe	44
PID 2216 wrote to memory of 2424	2216	cmd.exe	44
PID 2216 wrote to memory of 2424	2216	cmd.exe	44
PID 2216 wrote to memory of 2440	2216	cmd.exe	45
PID 2216 wrote to memory of 2440	2216	cmd.exe	45
PID 2216 wrote to memory of 2440	2216	cmd.exe	45
PID 2216 wrote to memory of 2472	2216	cmd.exe	46
PID 2216 wrote to memory of 2472	2216	cmd.exe	46
PID 2216 wrote to memory of 2472	2216	cmd.exe	46
PID 2216 wrote to memory of 2156	2216	cmd.exe	47
PID 2216 wrote to memory of 2156	2216	cmd.exe	47
PID 2216 wrote to memory of 2156	2216	cmd.exe	47
PID 2216 wrote to memory of 1488	2216	cmd.exe	48
PID 2216 wrote to memory of 1488	2216	cmd.exe	48
PID 2216 wrote to memory of 1488	2216	cmd.exe	48
PID 2216 wrote to memory of 1484	2216	cmd.exe	49
PID 2216 wrote to memory of 1484	2216	cmd.exe	49
PID 2216 wrote to memory of 1484	2216	cmd.exe	49
PID 2216 wrote to memory of 1404	2216	cmd.exe	50
PID 2216 wrote to memory of 1404	2216	cmd.exe	50
PID 2216 wrote to memory of 1404	2216	cmd.exe	50
PID 2216 wrote to memory of 2468	2216	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2028
- C:\Windows\system32\chcp.com
  chcp 708
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2688
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.pow" 01001011-0100-1111-0101-001188888883
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\system32\powercfg.exe
    powercfg /s 01001011-0100-1111-0101-001188888884
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\system32\powercfg.exe
    powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\powercfg.exe
    powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2404
- - C:\Windows\system32\timeout.exe
    timeout /t 2 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2424
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2156
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1484
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1404
- - C:\Windows\system32\bcdedit.exe
    bcdedit /timeout 10
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2468
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set useplatformtick Yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2016
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick Yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1888
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set bootmenupolicy Legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2176
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set quietboot On
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2604
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set x2apicpolicy Disable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1660
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set nx OptIn
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:556
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:912
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
    3⤵
    PID:1048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_networkadapter get GUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\system32\findstr.exe
      findstr "{"
      4⤵
      PID:1856
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EC3FB044-F005-4A61-93F0-993EA110B8ED}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
    3⤵
    PID:1584
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EC3FB044-F005-4A61-93F0-993EA110B8ED}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
    3⤵
    PID:296
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EC3FB044-F005-4A61-93F0-993EA110B8ED}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
    3⤵
    PID:2172
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2396
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    3⤵
    PID:2328
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    3⤵
    PID:1300
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
    3⤵
    PID:1276
- - C:\Windows\system32\sc.exe
    sc delete nvagent
    3⤵
    - Launches sc.exe
    PID:1384
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1236
- - C:\Windows\system32\sc.exe
    sc delete edgeupdate
    3⤵
    - Launches sc.exe
    PID:1140
- - C:\Windows\system32\sc.exe
    sc delete edgeupdatem
    3⤵
    - Launches sc.exe
    PID:1716
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2036
- - C:\Windows\system32\shutdown.exe
    shutdown -r -f -t 7 -c "Please wait until your PC restarts..."
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Windows\system32\timeout.exe
    timeout /t 4 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9276ca54f31225d9c89edfb240be3168

SHA1
21c7cfc121a135eca8ceaa06b7dd79e5e9721ecd

SHA256
892dad7f8b2f6a5c9daef77c8ca8fe26e237949266d6ac7d11c05d4918da5897

SHA512
ecf14c1da72b5d8b259258f76b37da6bd81cd4663324a2132fb4c5f701dddea20685dd065f9f3a6dc7e987cdda27aa4f9b86c82223096d62c4968f8e0cba3433

Download Submit
memory/1456-29-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2260-28-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2472-23-0x000007FEF9880000-0x000007FEFA21D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-25-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2472-27-0x000007FEF9880000-0x000007FEFA21D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-26-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2472-24-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2472-22-0x0000000002CD0000-0x0000000002D50000-memory.dmp

Filesize
512KB

Download
memory/2472-20-0x000007FEF9880000-0x000007FEFA21D000-memory.dmp

Filesize
9.6MB

Download
memory/2472-19-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2472-21-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2624-7-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2624-9-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2624-4-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2624-12-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-10-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2624-11-0x0000000002D20000-0x0000000002DA0000-memory.dmp

Filesize
512KB

Download
memory/2624-8-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-5-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2624-6-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads